This story simply astonishes me. Anyone who doesn’t know the difference between GET and DELETE has no business designing a web app for their kid’s lemonade stand, much less taking on a multi-month contract for the government. Not that I haven’t seen mistakes like this before, but what really gets my goat is that the government agency doubtless paid a huge amount of money to these morons to develop their site. Doubtless these mouth breathers had the necessary security clearances, and wore the right suits, and took the right people out to play golf. I’m sure the fact that they had no fucking clue how the Web works never entered anyone’s mind.

One of these days I’ve got to figure out how to get jobs like these. I am certain I could have done the same job in less time and at probably 10% of the cost these blithering idiots charged. For one thing, I wouldn’t have tried to implement a content management system from scratch instead of starting with a well-understood, well-respected, well-written open source system.

My problem is that I have no patience for playing the dress-up games that pass for due diligence. I’m really tired of jobs where the initial paperwork and get-to-know-you meetings take longer than the job itself. Seriously, if you need a smart guy who really does understand the Web to help you out, either by directly designing and implementing such systems for you, or by reviewing the work of others so you can find out whether your current contractors are actually savvy web folk or law school/business school/art school posers, talk to me. I charge a flat per-day rate, and I’ll probably get your job done in a fraction of the time and cost the big agencies are charging you. I favor simple systems that work over complex systems that generate more consulting fees.

One warning, however: I’m very much a roll-up-your-sleeves and get to work sort of guy. I have extremely little patience for NDAs, lawyers, 100-page contracts for ten-hour jobs, urine tests, Net-60 billing, and all the other bureaucratic hassles that infest American business in the 21st century. If that’s the sort of company you work for, don’t bother calling me. Call the big boys that have their own lawyers on staff just to handle the hassle of dealing with all the bureaucratese (and be ready to pay ten times as much to cover the overhead on both sides). But if you’re ready to get to work and get something done, or if you just need a quick outside sanity check on the web system you’re already building, drop me a line. I’d be glad to help out.

I’m sorry, but I have a hard time seeing the relation between “get” and “delete” HTTP methods and the problem described in the WTF entry. This entry describes the situation where “Delete” links (you know, those that you click when you want to delete something) were left in the articles posted because authors copy-pasted the content containing an “edit” link which brought the Google robot to the new page containing the .. aha! a “Delete” link.

If I understand you correctly – you were referring to the HTTP methods, so aren’t you missing the point?

P.S.
Also, aren’t you trying too hard to advertise yourself? I guess it’s the second time I see the shameless plug in your entries. Really, a separate page dedicated to this matter, with a description, however detailed, of what you have absolutely no patience for, would do the job, wouldn’t it? Kind of a “Hire Me!” link.

The WTF article completely misdiagnosed the problem. It seems that neither the author of the article (Alex Papadimoulis), the consultants who designed the system, the government agency that paid for the system, the consultant who analyzed the symptoms (Josh Breckman), nor most of the commenters on that article have any clue of what the real mistake was.

It has nothing to do with cookies. It has nothing to do with passwords. It has nothing to do with JavaScript. It has nothing to do with copy and paste. It has nothing to do with failure to authenticate. These are all red herrings, though they made mistakes in all of these too. However if they had fixed every one of those mistakes they still would have been sitting on a time bomb waiting to go off and delete their site.

The fundamental problem was responding to a GET request by deleting a page. GET requests must be idempotent and side-effect free. They designed a system where this wasn’t true. Everything else is secondary to this major mistake.
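
The failure mode described in the comment above, as an added example that is not part of the original thread: a link-following robot that only ever issues GET wipes a site whose delete route acts on GET, and leaves it intact once the server refuses state changes on GET. The route names, the in-memory site, and the crawler are constructed for illustration; authentication is deliberately left out to isolate the method handling.

```python
import re

def make_site():
    # Constructed sample content: three pages, each rendered with a "Delete" link.
    return {"home": "Welcome", "news": "Latest news", "about": "About us"}

def render(site, name):
    """HTML for one page: body, navigation links, and a delete link."""
    nav = "".join(f'<a href="/page/{n}">{n}</a>' for n in site)
    return f'<p>{site[name]}</p>{nav}<a href="/delete/{name}">Delete</a>'

def handle(site, method, path, safe_get):
    """Return (status, body). safe_get=False reproduces delete-on-GET."""
    kind, _, name = path.strip("/").partition("/")
    if name not in site:
        return 404, ""
    if kind == "page" and method == "GET":
        return 200, render(site, name)
    if kind == "delete":
        if method == "GET" and safe_get:
            return 405, ""  # GET is never allowed to change server state
        if method in ("GET", "POST", "DELETE"):
            del site[name]
            return 200, "deleted"
    return 405, ""

def crawl(site, safe_get, start="/page/home"):
    """A robot that follows every href it sees, using GET only.
    Returns the names of the pages that survive the crawl."""
    queue, seen = [start], set()
    while queue:
        path = queue.pop(0)
        if path in seen:
            continue
        seen.add(path)
        status, body = handle(site, "GET", path, safe_get)
        if status == 200:
            queue.extend(re.findall(r'href="([^"]+)"', body))
    return sorted(site)

if __name__ == "__main__":
    print("delete-on-GET :", crawl(make_site(), safe_get=False))
    print("GET is safe   :", crawl(make_site(), safe_get=True))
```

The delete link is still present in the rendered pages in both runs; only the server's handling of the method differs.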

OK, thanks a lot for the explanation, but still – you’re proposing the correct solution while I was reviewing what actually happened, which still has nothing to do with GET/DELETE methods. (OK, OK, it has to do with those methods, but see below.)

And ... come on :) Please, show me the system using *exclusively* the DELETE method for removing the content. I bet 99% of existing web applications don’t do it (maybe it’s just my ignorance, but I never saw/heard of anyone actually doing it – really, I would be glad to see some examples). Of course, it doesn’t say nobody gets the difference between GET and DELETE, it just says that almost nobody ever uses it for what it was invented. In my world all delete operations and those having other side-effects are implemented with GET/POST requests plus confirmation screens. I mean, I totally agree with what you say about GET/DELETE – it’s just that nobody uses it except a couple of extraordinary folks here and there.

P.S
I remember some of the links on your site weren’t working in IE (a couple of years ago, yes, I’m a long-time follower of your work and books, in fact) because their extension was “.xhtml”. Back then you seemed to prefer the perfect solution to the *working* solution. Isn’t the situation the same with DELETE methods?
I consider myself to be a perfectionist as well, but I feel like sometimes you’re going too far, to the level of becoming non-pragmatic.